Hello everyone,

It seems to me if the mail server administrators would make the decision to require people that send emails from their servers to log into a valid account on that server and use the same valid account on the server as a return address it would negate the ability of a large percentage of the spammers to send the spam anon. This would allow easier filtering of many of the offending messages by domain. Additionally, the sending account field and the reply-to field should be equal and clients should be required to use an email address that is associated with the account used to log into the server in the first place. This will need to be implemented in the beginning by administrators who run software capable of it, and it would be implemented later as part of the email client and/or server software using new software releases, patches, and individual customizations of existing software.

I know that there are many people who will scream and gnash their teeth at this suggestion as it will force them to identify themselves to anon mailing lists, but I think it would be an acceptable compromise if we could eliminate a major portion of the spam clogging our inboxes.

Clients need to be identified by ISP-based email servers using their DNS and IP address footprints, and clients attempting to send email with improper footprints should be disregarded (making it very difficult to send email from the server if you truly are not a valid subscriber to the service, much like many of the current news servers do). Then to deal with the anonymous email servers out there (hotmail, yahoo, etc...) the operators of those services should require clients logging into those accounts to send email from a valid IP address with no unsecured proxy services running on them (much like many IRC servers are doing) and transmit this IP information along with the email being sent.

This would allow for pinpoint identification of the senders of spam using IP addresses, MAC addresses and time-stamped logs for the specific purposes of taking legal action against these network abuses. I know it will be argued that this will require cooperation between ISPs and that some systems are already implementing these measures, but if all administrators as a single body insist that everyone adhere to these rules or be excluded from sending email to clients of their services, and enforced this through IP block and domain blocking, the stragglers would be forced to adhere to these rules.

Further, if a body such as the IETF stood behind this and perhaps drafted specifications for administrators and software developers to follow when making new clients/servers and updating existing clients/servers, it would hold added weight in the market place. The extra cost associated with such actions could be offset by saved resources, and additional revenues made as a result of higher subscription rates justified by superior spam filtering techniques and a greater number of subscribers to the service due to better service quality.

I would also like to suggest that the California law that requires all unsolicited emails be appended with adv: in the subject line be expanded to a federal law, and additionally require emails that are solicited by signing up for a service to include exact information about who the sender bought your email address from in the email.

These are just some ideas I have had on eliminating spam and should in no way be considered a flame against anyone. I know there is no way that this will stop all unsolicited email from being sent or received. I just thought they might help to get some people rolling on a solution and that it would be better than complaining about it. After all, doesn't a global solution make more sense than venting about what should be done to keep it out of this mailing list?
Thank you for your time and attention,

Douglas Huyler
Dougxx2@carolina.rr.com
704-721-0212

P.S. I am sorry this email comes so long after the original post was made, but I don't read the list very often and after reading this thread from the beginning to December 6th I thought I would reply. If someone else has brought these things up after this point I am sorry, but I haven't caught up with the list yet.

----- Original Message -----
From: "Fred Baker" <fred@cisco.com>
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
Cc: <ietf@ietf.org>; <namedroppers@ops.ietf.org>; <iesg@ietf.org>
Sent: Friday, December 06, 2002 4:41 PM
Subject: RE: namedroppers, continued

> At 08:28 AM 12/2/2002 -0800, Hallam-Baker, Phillip wrote:
> >The only way to resolve this issue properly would be to require every
> >submission to an IETF mailing list to be cryptographically signed (PGP
> >or S/MIME), to require the subscribers to register their signing key and
> >to then filter the mail sent out on the list so that only signed mail
> >gets through.
>
> I would be in favor of that, personally, as long as we can ensure that the
> appropriate signature facility (be it RSA, PGP, or whatever) is freely
> available to all who need to use it. The issue here is not us corporate
> types who have a business reason to buy the software, it is the students
> who often lack the funds. The big issue would be the procedures for posting
> one's key to the appropriate place - what is to stop a spammer from posting
> a key and sending the spam anyway? I'm not proposing a mechanism, but
> someone who is good at such things might well find it of value.
>
> It doesn't address the "off topic" issue. As you say, that could be left to
> a working group chair equipped with formal procedures developed by consensus
> within the work group or adopted by the working group from a more general
> place (i.e., the IETF could suggest a procedure, and the WG could adopt it if
> it didn't feel another procedure would be better).
>
> I have had a private exchange, over the past few days, with someone who
> wished that the IETF would please document some good spam-elimination
> procedure, so that it could be used world-wide to completely eliminate
> spam. I think that boils down to "provide a global PKI" in this solution,
> and presumes that spammers are incapable of using one. That might be a
> great research topic. Too bad nobody has ever thought of it before; we
> could really use the outcome of that research. (OK, so it's a lame attempt
> at humor...)
>
> I think it was Steve Bellovin that suggested a procedure for reducing the
> utility of spoofing source addresses in emails; if not, it was me and I
> happened to suggest something his favorite algorithm fit into, by having a
> host in each mail domain (mailid.example.com) be able to assert that its
> domain had or had not sent an email within a given recent time period
> whose MD5 hash, when divided by <vector of prime numbers> resulted in
> <vector of remainders>. I could write that up in an internet draft if folks
> think it makes sense. That would be a more global procedure that didn't
> require a PKI and only addressed spoofed addresses.
>
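The residue-based origin check that Fred Baker sketches in the quoted message, worked through as an added example (this is not code from the thread or from any IETF draft): a hypothetical mailid host for a sending domain keeps the MD5 residues, modulo a vector of primes, of mail the domain actually sent during a recent window, and a receiving domain recomputes the residues of a message claiming that origin and asks the host whether it has a match. The prime vector, the window length and the sample messages are constructed values; the post leaves all of them unspecified.

```python
import hashlib
from collections import deque

# Constructed sample vector of primes; the post leaves the real vector unspecified.
PRIMES = (1009, 1013, 1019, 1021)


def residues(message: bytes, primes=PRIMES):
    """MD5 of the message (the hash the post names), reduced modulo each prime."""
    h = int.from_bytes(hashlib.md5(message).digest(), "big")
    return tuple(h % p for p in primes)


class MailIdHost:
    """Hypothetical mailid.<domain> role: remembers the residues of outbound mail
    for a recent time window and answers 'did my domain send this?' queries.
    Only residues are stored, so answering never requires disclosing message text."""

    def __init__(self, window_seconds: int, primes=PRIMES):
        self.window = window_seconds
        self.primes = primes
        self._sent = deque()  # (send_time, residues), oldest first

    def record_outbound(self, message: bytes, now: int) -> None:
        """Called by the domain's outbound MTA for every message it relays."""
        self._sent.append((now, residues(message, self.primes)))

    def _expire(self, now: int) -> None:
        # Drop entries older than the window so the assertion covers only recent mail.
        while self._sent and now - self._sent[0][0] > self.window:
            self._sent.popleft()

    def assert_sent(self, claimed, now: int) -> bool:
        """True if a message with these residues left this domain within the window."""
        self._expire(now)
        return any(r == claimed for _, r in self._sent)


def verify_claimed_origin(mailid: MailIdHost, received: bytes, now: int) -> bool:
    """Receiver side: recompute the residues of the received message and ask the
    claimed sender domain's mailid host whether it sent a matching message."""
    return mailid.assert_sent(residues(received, mailid.primes), now)


if __name__ == "__main__":
    host = MailIdHost(window_seconds=3600)
    genuine = b"From: alice@example.com\r\nSubject: hi\r\n\r\nreal mail"
    host.record_outbound(genuine, now=1000)
    print(verify_claimed_origin(host, genuine, now=1010))  # True: domain did send it
    forged = b"From: alice@example.com\r\nSubject: buy now\r\n\r\nnot from example.com"
    print(verify_claimed_origin(host, forged, now=1010))   # False: origin was spoofed
```

As the quoted message says, this needs no PKI but only addresses spoofed origin addresses: a domain that genuinely relayed a spam message will truthfully assert that it did.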